
Re: Hacker strikes through student's router



On Tue, Nov 08, 2005 at 10:14:31PM -0500, Anthony DiPierro wrote:
> How hard would it be to run a Tor exit node which accepts GET requests but
> not POST requests? Or, possibly, POST requests could simply be passed on to
> another Tor exit node? Would it be ethical to do this? You'd have to examine
> the traffic to see if it was a GET or a POST, but you wouldn't have to store
> anything.

The difference between filtering by transport-layer headers (e.g. port
number) and filtering by application-layer headers (e.g. HTTP request
type) is one of degree, not one of kind.  Whether it is ethical to do
this is debatable.  However, right now there does not exist a way to
describe this sort of filtering in the exit policy, and thus doing so
may degrade client performance.  Also, it is not possible (without substantial
modification to Tor) to simply pass along the request to another Tor
node, since this would mean somehow extending the circuit and
reattaching the stream in-flight!

Intuitively, if there were a magical box that could filter out "evil"
traffic while allowing all "good" traffic to pass, it would be great to
deploy it at every exit node.  However, the nature of communication is
such that this is either difficult or impossible to quantify.

A more pressing problem that still needs to be addressed is, how do we
deal with cases in which such filtering is happening already?  Not only
can Tor node operators firewall their exits, but their upstream ISPs can
null-route traffic to particular destinations...

Geoff
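To make the point about exit policies concrete, here is a simplified model of how Tor matches a destination against ExitPolicy lines (an added example, not Tor's own code or anything from the thread). Its only inputs are the destination address and port, which is exactly why a GET-versus-POST distinction has no place in it; the policy list is constructed for illustration.

```python
import ipaddress

# Simplified model of Tor's ExitPolicy matching (added illustration, not
# Tor's own implementation). Each rule has the form
#     accept|reject ADDR[/MASK]:PORT | PORT-PORT | *
# and the first rule that matches the destination decides. Note what the
# matcher sees: an address and a port. There is no field for the HTTP
# method, so "accept GET but reject POST" cannot be written as a policy.

def parse_rule(rule):
    action, target = rule.split(None, 1)
    addr, port = target.rsplit(":", 1)
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return action, net, lo, hi

def exit_allowed(policy, dst_ip, dst_port):
    """Return True if the first matching rule is 'accept'."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, lo, hi in (parse_rule(r) for r in policy):
        if (net is None or ip in net) and lo <= dst_port <= hi:
            return action == "accept"
    return False  # Tor implicitly appends "reject *:*" when nothing matches

# Constructed policy: a typical "web only" exit that also refuses a private
# range. Anything the rules do not mention falls through to the final reject.
WEB_ONLY_POLICY = [
    "reject 10.0.0.0/8:*",
    "accept *:80",
    "accept *:443",
    "reject *:*",
]

if __name__ == "__main__":
    for dst in [("93.184.216.34", 80), ("93.184.216.34", 25), ("10.1.2.3", 80)]:
        print(dst, "accept" if exit_allowed(WEB_ONLY_POLICY, *dst) else "reject")
```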
